Abstract

Randomization of quantum states is the quantum analogue of the classical one-time pad. We present
an improved, efficient construction of an approximately randomizing map that uses $O(d/\epsilon^2)$ Pauli
operators to map any $d$-dimensional state to a state that is within trace distance $\epsilon$ of the completely
mixed state. Our bound is a $\log d$ factor smaller than that of Hayden, Leung, Shor, and Winter [7], and
Ambainis and Smith [5].

Then, we show that a random sequence of essentially the same number of unitary operators, chosen
from an appropriate set, with high probability forms an approximately randomizing map for $d$-dimensional
states. Finally, we discuss the optimality of these schemes via connections to different notions of
pseudorandomness, and give a new lower bound for small $\epsilon$.



1 Introduction 
1.1 Encryption of quantum states

Randomization of quantum states is a procedure analogous to encryption of classical messages such as in 
the "one-time pad". Imagine that two parties wish to exchange sensitive data in the form of quantum 
states over an insecure quantum communication channel. They would like to encrypt the quantum data so 
that any eavesdropper with access to the channel will not gain any information about the data. The idea 
is to use a secret key, such as a uniformly random bit string, to transform a quantum state so that without 
access to the key, an adversary is unable to distinguish two different encrypted states, when averaged over 
the random choice of key. Equivalently, every state is mapped to the same mixed state by the encryption 
procedure. The encrypted state may then be sent over the insecure channel, and the receiver, who also
knows the key, may decrypt to recover the message.



It has been known for several years that applying an independently chosen random Pauli operator to each
qubit of an $n$-qubit state maps it to the completely mixed state $I/2^n$. This gives rise to a scheme for perfect
encryption of $n$-qubit quantum states with $2n$ secret uniformly random classical bits [H 0]. This was also
shown to be optimal in terms of the number of bits of key required [6] [U [H [12].

The requirement of perfect encryption may be relaxed a little without compromising security, so that
the encrypted states are all close to being completely mixed, rather than being exactly so. By using
a probabilistic argument, Hayden, Leung, Shor, and Winter [7] showed that the number of bits of key
required then drops by a factor of approximately 2: to approximately randomize $n$-qubit states to within $\epsilon$
of $I/2^n$ (in trace norm), we need at most $n + \log n + 2\log\frac{1}{\epsilon} + O(1)$ bits of key. Subsequently, Ambainis
and Smith [5] gave an efficient (quadratic time) scheme for approximate state randomization with respect
to the trace norm using

$$n + \min\left\{ 2\log n + 2\log\tfrac{1}{\epsilon},\ \log n + 3\log\tfrac{1}{\epsilon} \right\} + O(1)$$

bits of key. Their construction is based on small-bias spaces (see, e.g., Ref. [11]). They also showed how
to reduce the key length to $n + 2\log\frac{1}{\epsilon}$ at the cost of increasing the length of the ciphertext by $2n$ bits.

The amount of key required for approximate encryption with respect to the Hilbert-Schmidt norm and the 
operator norm has been studied by Kerenidis and Nagaj [9]. They show that key length is quite sensitive
to the norm chosen to specify the security requirement. 

In this article, we revisit approximate randomization with respect to the trace norm, which reflects most
closely our ability to physically distinguish quantum states. We first observe that an explicit scheme of
Ambainis and Smith may be improved by using an optimal construction of small-bias spaces due to Alon,
Goldreich, Hastad, and Peralta [3]. This reduces the key size to $n + 2\log\frac{1}{\epsilon} + 4$, and avoids the need for
ciphertext that is longer than the original message. This construction avoids another rather subtle issue.
The length-preserving schemes suggested in Ref. [5] require that the two communicating parties agree on a
prime number of length $O(n)$. Since there is no known polynomial-time deterministic procedure to generate
a prime number of a specified length, additional communication is required to establish this shared prime
number. (The prime may be generated locally by one party by a randomized procedure.) The encryption
and decryption procedures we suggest require a common irreducible polynomial over GF(2) of degree $O(n)$,
which may be computed independently by the two parties using an efficient deterministic algorithm due
to Shoup [15].

Next, we investigate collections of unitary operators that give rise to approximately randomizing maps. 
We show by a probabilistic argument that any sequence of 




unitary operators chosen independently from a perfectly randomizing set with high probability defines an 
approximately randomizing map for d-dimensional quantum states. 

A simple rank argument shows that at least $d(1 - \frac{\epsilon}{2})$ unitary operators are always needed for approximate
encryption in $d$ dimensions. No better lower bound is known. Methods for showing lower bounds for
perfect encryption all fail, since they crucially rely on the property of completely randomizing maps to
destroy all quantum correlation between the encrypted state and any state previously entangled to it.
We take a different approach, and derive necessary conditions on distributions over Pauli operators that
correspond to approximately randomizing maps. These conditions are similar to notions such as "almost
n-wise independence" in the theory of pseudorandom distributions (see, e.g., Ref. [11]). As a corollary, we
get a tighter lower bound on randomizing sets of Pauli operators in the regime of exponentially small $\epsilon$.

We describe our results more formally in the following two subsections, and then prove them in the 
remaining sections. 



1.2 Preliminaries 



We refer the reader to the text [13] or the lecture notes p3] for definitions of basic concepts in quantum 
information. 

Let $L(\mathcal{H})$ denote the space of linear operators on the Hilbert space $\mathcal{H}$. This includes the cone of positive
semi-definite operators (density operators) on $\mathcal{H}$. Let $U(\mathcal{H})$ denote the set of unitary linear operators on
the Hilbert space $\mathcal{H}$.



Definition 1.1 Let $\epsilon \ge 0$. A completely positive, trace-preserving (CPTP) linear operator $R : L(\mathbb{C}^d) \to L(\mathbb{C}^d)$
is said to be $\epsilon$-randomizing with respect to the norm $\|\cdot\|$ if, for all density operators (mixed states)
$\rho \in L(\mathbb{C}^d)$,

$$\left\| R(\rho) - \frac{I}{d} \right\| \le \epsilon.$$

We say that $R$ is completely randomizing if $\epsilon = 0$.



Remark 1.1 Due to convexity, a map R that randomizes all pure states (rank 1 density operators) also 
randomizes all mixed states to the same extent. 



We will mainly discuss randomization with respect to the trace norm. For any linear operator $M \in L(\mathbb{C}^d)$,
the trace norm is defined by $\|M\|_{\mathrm{tr}} = \mathrm{Tr}\sqrt{M^\dagger M}$. Equivalently, it is the sum of the singular values
of $M$, and therefore also referred to as the "1-norm". The trace norm is arguably a more appropriate
measure of distinguishability in the context of eavesdropping, since it is directly related to information
that measurements reveal about quantum states. We will also use the Frobenius (or Hilbert-Schmidt)
norm in our proofs. This norm is defined as $\|M\|_F = \sqrt{\mathrm{Tr}(M^\dagger M)}$. Since this is the $\ell_2$ norm of the vector
of singular values of $M$, this is also referred to as the "2-norm" by some authors.

Randomizing maps are easy to construct. For example, the map $R : \rho \mapsto \mathrm{Tr}(\rho)\frac{I}{d}$ is completely randomizing.
However, these maps are most useful when they can be inverted by a quantum operation to recover the 
original state, as is required in the case of encryption. 

The protocols for encryption we study involve two parties, labeled Alice and Bob, who share a secret,
uniformly random bit-string, called the private key $k$. Alice wishes to send a $d$-dimensional quantum
state $\rho$ to Bob. She would like to apply an invertible quantum operation [12] to the state, and send it
to Bob so that when averaged over $k$, the map is randomizing. This would ensure that no eavesdropper
is able to distinguish two different messages with non-trivial probability. Such protocols have also been
called "private quantum channels" by some authors (see, e.g., Ref. [1]). We have implicitly assumed that
the quantum channel is noiseless unless an eavesdropper tampers with it. Therefore Bob, who also has the
key $k$, can apply the inverse operation to decrypt the message $\rho$ perfectly.

A natural way to create such an invertible randomizing operator is to select a sequence of unitary
operators $U_1, \ldots, U_m$ and define

$$R(\rho) = \frac{1}{m}\sum_{i=1}^{m} U_i \rho U_i^\dagger. \qquad (1)$$

Here, the index $i$ corresponds to the shared secret key held by the communicating parties, and is unknown
to any eavesdropper. With a suitable choice of unitary operators the map $R$ would be $\epsilon$-randomizing.
In fact, any orthogonal set of unitary operations on $\mathbb{C}^d$, such as the set of $d^2$ Pauli operators, forms a
completely randomizing map [6].

The most general one-way encryption scheme may in addition involve an ancilla that depends upon the
key:

$$R(\rho) = \frac{1}{m}\sum_{i=1}^{m} U_i (\rho \otimes \sigma_i) U_i^\dagger.$$

This is slightly more general than the form claimed in Ref. [4]. However, the results in the latter article
extend to the more general maps above (see also Ref. [8]). This general form of encryption uses more qubits
in the ciphertext than originally present in the message, which is undesirable from an efficiency point of
view. We will only study randomizing maps as in equation (1), which correspond to encryption without
ancilla.

The randomizing maps we construct will involve the Pauli operators. We will denote the Pauli operators
on a single qubit by $I, X, Y, Z$:

$$I = \begin{pmatrix} 1 & 0 \\ 0 & 1 \end{pmatrix}, \quad X = \begin{pmatrix} 0 & 1 \\ 1 & 0 \end{pmatrix}, \quad Y = \begin{pmatrix} 0 & -i \\ i & 0 \end{pmatrix}, \quad Z = \begin{pmatrix} 1 & 0 \\ 0 & -1 \end{pmatrix}.$$

These operators are unitary, Hermitian, and they square to the identity. The non-identity Pauli matrices
anti-commute with other non-identity Pauli matrices. For example, $XY = -YX$. Where the overall phase
of $i$ is irrelevant, we will substitute $Y$ with the matrix $XZ$.

For two $n$-bit strings $a, b$, let $|a \wedge b| = \sum_{j=1}^{n} a_j b_j$. We will often represent a tensor product of $n$ single
qubit Pauli operators by a string of $2n$ bits $(a, b) \in \{0,1\}^{2n}$ using the correspondence

$$(a, b) \leftrightarrow i^{|a \wedge b|} X^a Z^b, \quad \text{where} \qquad (2)$$
$$X^a = X^{a_1} \otimes X^{a_2} \otimes \cdots \otimes X^{a_n},$$

and $Z^b$ is defined similarly. Let $\mathcal{P}_n$ denote the set $\{ i^{|a \wedge b|} X^a Z^b : (a, b) \in \{0,1\}^{2n} \}$ of all tensor products of $n$
single qubit Pauli operators.

For two $n$-bit strings $u, x \in \{0,1\}^n$, considered as elements of $GF(2)^n$, the standard scalar product is defined
as $\langle u, x\rangle = \sum_i u_i x_i \pmod 2$. The symplectic inner product of a pair of $2n$-bit strings $(a, b)$ and $(c, d)$,
considered as elements of $GF(2)^{2n}$, is given by $\langle a, d\rangle + \langle b, c\rangle \pmod 2$. The symplectic inner product tells
us when two Pauli operators commute: $X^a Z^b$ commutes with $X^c Z^d$ if and only if the symplectic inner
product of $(a, b)$ and $(c, d)$ is 0.

A distribution $p$ over $\{0,1\}^{2n}$ defines a CPTP map on $n$ qubits via the above bijection:

$$R_p(\rho) = \sum_{(a,b) \in \{0,1\}^{2n}} p(a,b)\, X^a Z^b \rho Z^b X^a. \qquad (3)$$

We will study randomizing maps of this form more closely. A special case is when $p$ is uniformly distributed
over a set $S \subseteq \{0,1\}^{2n}$. In this case, we will denote the associated CPTP map by $R_S$.

The single qubit Pauli operators $\mathcal{P}_1$ form an orthogonal basis for $L(\mathbb{C}^2)$ under the inner product $\langle A, B\rangle =
\mathrm{Tr}(B^\dagger A)$. The set $\mathcal{P}_n$ of $2^{2n}$ tensor products of $n$ such Pauli operators similarly forms an orthogonal basis
for $L(\mathbb{C}^{2^n})$. There are also bases of $d^2$ orthogonal unitary operators on $L(\mathbb{C}^d)$ for general dimension $d$ (that
is not a power of 2).

We will also make use of the concept of a stabilizer state [13, Section 10.5.1, page 454]. A stabilizer
group $G$ is an abelian group generated by a subset $T \subseteq \mathcal{P}_n$ of the Pauli operators on $n$ qubits. Each
stabilizer group $G$ defines a linear subspace $C_G$ of $\mathbb{C}^{2^n}$ which is the common $+1$-eigenspace of all the Pauli
operators in $G$. If $G$ is generated by $k$ independent Pauli operators, and does not contain $-I$, then the
linear subspace $C_G$ has dimension $2^{n-k}$. By a stabilizer state, we will mean a pure state which spans the
one dimensional subspace $C_G$ stabilized by a group $G$ of order $2^n$.

Every stabilizer group generated by $k$ independent Pauli matrices may be specified by listing its generators
row-wise in a $k \times 2n$ boolean matrix $M$ via the bijection in equation (2). Since the generators all commute,
different rows of the matrix have symplectic inner product 0 with each other. For a $2n$-bit vector $w = (u, v)$,
let $M \cdot w$ denote the $k$-bit vector obtained by taking the symplectic inner product of the $k$ rows of $M$ with $w$.

1.3 Statement of Results 

The problem we address in this paper is the construction of approximately randomizing maps which 
preserve the number of qubits in the message. 

First, in Section 2 we describe an explicit construction for a sequence of unitaries that approximately
randomize. This construction combines the work of Refs. [5, 3, 15] to give an improvement over the explicit
construction by Ambainis and Smith [5].

Theorem 1.2 For any $\epsilon \in (0,2]$, and dimension $d = 2^n$, there is a sequence of $m =$ unitary
operations $\{U_i : 1 \le i \le m\}$, each a tensor product of Pauli operators, such that the map

i=l 

is $\epsilon$-randomizing with respect to the trace norm. The sequence of Pauli operators defining $U_i$ may be
determined from the index $i$ in time $\tilde{O}((\log m)^4) = \tilde{O}(n^4)$.

Remark 1.3 The notation $\tilde{O}(T)$ above suppresses factors poly-logarithmic in $T$. Since there is a linear-time
completely randomizing map consisting of a sequence of $d^2$ unitary operators, the above theorem is
only useful when $\epsilon > 4/\sqrt{d} = 4/2^{n/2}$. We were therefore able to assume that $\log m = \log d + 2\log\frac{1}{\epsilon} + O(1) =
O(n)$.

Next, we study which sequences of unitary operations are suitable for approximate encryption. In Section 3
we prove that almost all sequences of $O(\frac{d}{\epsilon^2}\ln\frac{1}{\epsilon})$ unitary operations form an $\epsilon$-approximately randomizing
map for $d$-dimensional states.

Theorem 1.4 For all $\epsilon \in (0,2]$, a random sequence of $m = \frac{37d}{\epsilon^2}\ln\left(\frac{15}{\epsilon}\right)$ unitary operations $\{U_i : 1 \le i \le m\}$
in $U(\mathbb{C}^d)$ defines a map

i=l 

and $R$ is $\epsilon$-randomizing with respect to the trace norm, with probability at least $1 - e^{-d/2}$. Each unitary
operation $U_i$ may be chosen independently from an arbitrary distribution over $U(\mathbb{C}^d)$ that gives rise to a
completely randomizing map.

In the above theorem, each unitary in the sequence may be chosen independently according to an arbitrary
completely randomizing distribution of unitaries, not necessarily the same for each $i$. For instance, it may
be chosen according to the Haar measure on $U(\mathbb{C}^d)$, or the uniform distribution over any orthogonal unitary
basis for $U(\mathbb{C}^d)$. For the case that $\rho$ is an $n$-qubit state, the unitary operators can be chosen from among
the Pauli operators, which are particularly simple operators.

Theorem 1.4 is in general incomparable to Theorem II.2 of Hayden et al. [7]. Our theorem reduces by a
factor of $\log d$ the number of unitaries required for approximate encryption in the trace norm. However, it
does not imply the stronger bound of $\epsilon/d$ with respect to the spectral norm ("$\infty$-norm") on the distance
from the completely mixed state, even with a $\log d$ factor more unitaries.

We conjecture that the construction of the approximately randomizing map in Theorem 1.2 is optimal in
the use of secret key bits, up to an additive constant. We are unable to establish this rigorously at present,
but take some steps towards this.

We derive conditions on distributions over $\{0,1\}^{2n}$ that define randomizing maps. These conditions are
similar in flavour to other notions of pseudo-randomness such as "almost $k$-wise independence". We believe
these will help prove the optimality of our constructions.

Theorem 1.5 Let $R_p$ be a CPTP map on $n$ qubits induced by a distribution $p$ over $\{0,1\}^{2n}$, as in
equation (3). Let $V$ be the random variable corresponding to $p$. If $R_p$ is an $\epsilon$-randomizing map with respect to
the trace norm, then the random variable $M \cdot V$ is $\epsilon$-close to the uniform distribution over $\{0,1\}^n$ in $\ell_1$
distance for every $n \times 2n$ matrix $M$ over GF(2) that defines a stabilizer state.

As a corollary, we prove that any distribution corresponding to an $\epsilon$-randomizing map (with respect to the
trace norm) is necessarily $\epsilon$-biased (cf. Definition 2.1 in Section 2). This implies a new lower bound on the
number of bits of key in the regime of extremely small $\epsilon$, when it is smaller than $2^{-n/2}$.

Corollary 1.6 Let $R_p$ be a CPTP map on $n$ qubits induced by a distribution $p$ over $\{0,1\}^{2n}$, as in
equation (3). If $R_p$ is an $\epsilon$-randomizing map with respect to the trace norm, then the distribution $p$ is $\epsilon$-biased.
Therefore, if $p$ has support $S \subseteq \{0,1\}^{2n}$, then $|S|$ is at least a universal constant times

2 An explicit randomizing set



In this section, we prove Theorem 1.2. We describe an explicit sequence of unitary (Pauli) operators that
are approximately randomizing. The $i$-th unitary in the sequence can be determined from the index $i$ in
polynomial time. To obtain this result, we use the connection made by Ambainis and Smith [5] between
randomizing maps and small-bias spaces, together with a more efficient construction of such spaces due to
Alon, Goldreich, Hastad, and Peralta [3].

Recall that the Pauli operators form an orthogonal basis for matrices, so we may express any density
matrix over $n$ qubits as

$$\rho = \sum_{M \in \mathcal{P}_n} \frac{\mathrm{Tr}(M^\dagger \rho)}{\mathrm{Tr}(M^\dagger M)}\, M = \frac{1}{2^n} \sum_{M \in \mathcal{P}_n} \alpha_M M,$$

where $\alpha = (\alpha_M)$ is a vector in $\mathbb{C}^{2^{2n}}$ with $\|\alpha\|_2^2 \le 2^n$. The component $\alpha_I/2^n$ of any quantum state along
the identity operator is exactly $1/d = 1/2^n$. If a CPTP map $E$ is completely randomizing, then



mgp„ 

- li. 

2 n 

Thus, the map annihilates all the non-identity components of the state. The idea behind the construction 
for approximate randomization is to construct a map that shrinks the non-identity components of a density 
matrix sufficiently, so that it becomes close to completely mixed. Such a map may be constructed from 
small-bias sets. 

Definition 2.1 (Naor and Naor [11]) The bias of a subset $S \subseteq \{0,1\}^k$ with respect to a string $u \in
\{0,1\}^k$ is defined as

$$\mathrm{bias}(S,u) = \left| \mathbb{E}_{x \in S}\, (-1)^{\langle u,x\rangle} \right| = \left| 1 - 2\, \mathbb{E}_{x \in S} \langle u,x\rangle \right|,$$

where the expectation is taken over strings $x$ chosen uniformly at random from $S$, and $\langle u, x\rangle = \sum_i u_i x_i
\pmod 2$ is the standard scalar product over GF(2).

The subset $S \subseteq \{0,1\}^k$ is said to be $\delta$-biased if the bias with respect to every non-zero string is bounded
by $\delta$: $\mathrm{bias}(S, u) \le \delta$ for all $u \in \{0,1\}^k - \{0^k\}$.

This definition extends to arbitrary distributions $p$ over $\{0,1\}^k$ in the natural way: $\mathrm{bias}(p,u) = |\mathbb{E}\,(-1)^{\langle u,X\rangle}|$,
where the random variable $X$ is distributed according to $p$, and $p$ is said to be $\delta$-biased if its bias with respect
to every non-zero string $u$ is bounded by $\delta$.

The bias with respect to a string $u$ is the bias of the XOR (exclusive OR) of the bits selected by the
string $u$, i.e., the difference of the probabilities that this XOR is 0 or 1. The set of all strings has bias zero,
and small-bias spaces are more efficient substitutes for this set.

Recall from equation (3) in Section 1.2 that a subset of strings $S \subseteq \{0,1\}^{2n}$ defines a CPTP map on $n$
qubits as follows:

$$R_S(\rho) = \frac{1}{|S|} \sum_{(a,b) \in S} X^a Z^b \rho Z^b X^a. \qquad (4)$$

If we choose $S = \{0,1\}^{2n}$, we get a completely randomizing map. Ambainis and Smith showed that if we
choose $S$ to be a $\delta$-biased set, then the operator $R_S$ scales every non-identity Pauli operator by a factor at
most $\delta$. We then get an $\epsilon$-randomizing map by setting $\delta$ to be suitably small, namely, $\epsilon \cdot 2^{-n/2}$.

Proposition 2.1 (Ambainis and Smith [5]) Let $S \subseteq \{0,1\}^{2n}$ be a set with bias at most $\epsilon/2^{n/2}$. Then
the map $R_S$ as defined in equation (4) is an $\epsilon$-randomizing map with respect to the trace norm for $n$-qubit
states.

For completeness, we give a proof of this proposition in Appendix A.
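
The scaling property behind Proposition 2.1, checked by brute force as an added example (not code from the paper). The sample set `odd_y_set` (Pauli strings with $\langle a,b\rangle = 1$, i.e. an odd number of $Y$ factors) is constructed here because its bias is exactly $1/(2^n-1)$ against every non-zero string; it is not the Alon, Goldreich, Hastad, Peralta set this section uses, and all function names are this example's own.

```python
from fractions import Fraction


def dot(u, x):
    """Standard scalar product over GF(2); bit strings are stored as ints."""
    return bin(u & x).count("1") & 1


def pauli(n, a, b):
    """Matrix of X^a Z^b on n qubits: |x> -> (-1)^<b,x> |x XOR a>."""
    dim = 1 << n
    mat = [[0] * dim for _ in range(dim)]
    for x in range(dim):
        mat[x ^ a][x] = -1 if dot(b, x) else 1
    return mat


def randomize(n, S, rho):
    """R_S(rho) = (1/|S|) * sum over (a, b) in S of X^a Z^b rho Z^b X^a."""
    dim = 1 << n
    acc = [[Fraction(0)] * dim for _ in range(dim)]
    for a, b in S:
        for x in range(dim):
            for y in range(dim):
                # X^a Z^b is a signed permutation: conjugation moves entry
                # (x, y) to (x^a, y^a) with sign (-1)^(<b,x> + <b,y>).
                sign = -1 if dot(b, x) ^ dot(b, y) else 1
                acc[x ^ a][y ^ a] += sign * rho[x][y]
    return [[v / len(S) for v in row] for row in acc]


def bias(S, u_a, u_b):
    """bias(S, u) of Definition 2.1 for u = (u_a, u_b), strings (a, b) in S."""
    total = sum(-1 if dot(u_a, a) ^ dot(u_b, b) else 1 for a, b in S)
    return abs(Fraction(total, len(S)))


def scale_factor(n, S, c, d):
    """Return lam with R_S(X^c Z^d) = lam * X^c Z^d, checking every entry."""
    dim = 1 << n
    P = pauli(n, c, d)
    image = randomize(n, S, P)
    lam = image[c][0]  # P[c][0] is +1, so this entry equals lam
    for x in range(dim):
        for y in range(dim):
            if image[x][y] != lam * P[x][y]:
                raise ValueError("R_S did not act as a scalar on this Pauli")
    return lam


def odd_y_set(n):
    """Constructed sample set: all (a, b) with <a, b> = 1 over GF(2)."""
    dim = 1 << n
    return [(a, b) for a in range(dim) for b in range(dim) if dot(a, b)]


def max_bias(n, S):
    """Largest bias of S over all non-zero 2n-bit strings."""
    dim = 1 << n
    return max(bias(S, c, d) for c in range(dim) for d in range(dim)
               if (c, d) != (0, 0))


def basis_state_distance(n, S):
    """Trace norm of R_S(|0..0><0..0|) - I/2^n. The image is diagonal, so
    the trace norm is the l1 distance of its diagonal from uniform."""
    dim = 1 << n
    rho = [[1 if x == y == 0 else 0 for y in range(dim)] for x in range(dim)]
    image = randomize(n, S, rho)
    assert all(image[x][y] == 0
               for x in range(dim) for y in range(dim) if x != y)
    return sum(abs(image[x][x] - Fraction(1, dim)) for x in range(dim))


if __name__ == "__main__":
    n = 2
    S = odd_y_set(n)
    delta = max_bias(n, S)
    print("|S| =", len(S), "of", 4 ** n, "Paulis; bias =", delta)
    for c in range(1 << n):
        for d in range(1 << n):
            # The factor's magnitude is the bias w.r.t. the swapped string (d, c).
            print(f"X^{c:02b} Z^{d:02b}: factor {scale_factor(n, S, c, d)},"
                  f" bias {bias(S, d, c)}")
    print("distance of R_S(|00><00|) from I/4:", basis_state_distance(n, S))
    print("Proposition 2.1 bound:", float(delta) * 2 ** (n / 2))
```

For $n = 2$ this uses 6 of the 16 Pauli operators: every non-identity Pauli is scaled by $\pm 1/3$, and the image of $|00\rangle\langle 00|$ lies at trace-norm distance $1/2$ from $I/4$, inside the Proposition 2.1 bound $\delta \cdot 2^{n/2} = 2/3$.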

We now use an optimal construction of $\delta$-biased sets to get our randomizing map.

Proposition 2.2 (Alon, Goldreich, Hastad, Peralta [3]) Let $r, s$ be positive integers. There is a
subset $S \subseteq \{0,1\}^{rs}$, of size $2^{2r}$, with bias at most Given a monic irreducible polynomial of degree $r$
over GF(2), and an index $1 \le i \le rs$, the $i$-th string in $S$ may be constructed with $O(rs)$ multiplications
in $GF(2^r)$, and a further $r^2 s$ bit operations.

We describe this construction in Appendix B.

For our purposes, we need $r, s$ such that the length of the strings is $2n$, and the bias of the set $S$ is at
most $\epsilon \cdot 2^{-n/2}$. In other words,

rs = 2n, 

— < e-2~"/ 2 . 
2 r ~ 



Solving for the smallest such $r$, we get that the length of key $2r$ is at most

$$2r \le n + 2\log\frac{1}{\epsilon} + 4.$$

So a $\delta$-biased set of size $m = 2^{2r} \le 16 \cdot 2^n/\epsilon^2$ with $\delta \le \epsilon \cdot 2^{-n/2}$ exists. This gives us an $\epsilon$-randomizing
map $R_S$ with $m$ unitary operations, corresponding to a key length of $2r$, as above.

Since a completely randomizing map exists with $2^{2n}$ unitaries, we may assume that $\epsilon > 2^{-n/2}$ in our
construction. In other words, we may assume that $r < n$.

Given a key of length $2r$, and an irreducible polynomial of degree $r$ over GF(2), the associated tensor
product of single qubit Pauli operators may be computed with $O(rs) = O(n)$ multiplications in $GF(2^r)$, and
a further $O(r^2 s) = O(n^2)$ bit operations. Multiplication in $GF(2^r)$ can be implemented with $O(r \log r) =
O(n \log n)$ bit operations (see, e.g., Theorem 8.7 and its corollary on page 288, Chapter 8, in Ref. p]). The
bit-complexity of these computations is therefore $O(n^2 \log n)$. Furthermore, a monic irreducible polynomial
of degree $r$ over GF(2) may be computed by a deterministic algorithm that takes $O(r^4)$ bit operations [15,
page 40, Theorem 3.6]. Thus, this part of the construction dominates the time complexity, which is in
effect $O(n^4)$. These observations conclude the proof of Theorem 1.2.

3 The abundance of randomizing maps



In this section, we prove Theorem 1.4, which states that there is a plethora of randomizing maps that use
essentially the same number of bits of key as in the explicit construction. We use a probabilistic argument
that is similar in structure to that of Hayden et al. [7]. To show that $m$ unitaries suffice, we first show that
a sequence of $m$ random unitary operations approximately randomizes any fixed state with high probability.
To extend the approximate randomizing property to all states, we show that it suffices to randomize a
set of finitely many pure states that in a certain precise sense approximately cover the unit sphere in $\mathbb{C}^d$.
Finally, a "union bound" shows that with probability exponentially close to 1 every state is approximately
randomized.

In our argument, each unitary operator is independently distributed according to the Haar measure, or any
other distribution over unitary operations corresponding to a completely randomizing map. In particular,
the operators could be chosen uniformly at random from an orthogonal basis for $L(\mathbb{C}^{2^n})$, such as the Pauli
basis $\mathcal{P}_n$.

Proof: (of Theorem 1.4) Consider a sequence of $m$ unitaries $\{U_i\}$ independently chosen from a measure $\mu_i$
on $U(\mathbb{C}^d)$. We require that the measure $\mu_i$ give us a completely randomizing map. For any density
matrix $\rho \in L(\mathbb{C}^d)$, and $U$ distributed according to $\mu_i$,

$$\mathbb{E}_U\, U \rho U^\dagger = \int U \rho U^\dagger \, d\mu_i = \frac{I}{d}. \qquad (5)$$

The sequence $\{U_i\}$ defines the map

$$R(\rho) = \frac{1}{m} \sum_{i=1}^{m} U_i \rho U_i^\dagger.$$

Fix a pure state $\rho \in L(\mathbb{C}^d)$. We first bound the expected distance of $R(\rho)$ from the completely mixed
state $I/d$. Define the random variable $Y_\rho$ as follows:

$$Y_\rho = \left\| R(\rho) - \frac{I}{d} \right\|_{\mathrm{tr}}.$$



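While we may carry out a similar analysis for a mixed state $\rho$, it is sufficient (and also simpler) to restrict
ourselves to pure states; cf. Remark 1.1.

Proposition 3.1 $\mathbb{E}\, Y_\rho \le \sqrt{d/m}$.

Proof: From Corollary A.2 we have

$$Y_\rho^2 \le d\, \|R(\rho)\|_F^2 - 1. \qquad (6)$$

By the definition of Frobenius norm,

$$\begin{aligned}
\|R(\rho)\|_F^2 &= \mathrm{Tr}\, R(\rho)^2 \\
&= \frac{1}{m^2} \sum_{i} \mathrm{Tr}\, (U_i \rho U_i^\dagger)^2 + \frac{1}{m^2} \sum_{i \ne j} \mathrm{Tr}\left( U_i \rho U_i^\dagger U_j \rho U_j^\dagger \right) \\
&= \frac{1}{m} + \frac{1}{m^2} \sum_{i \ne j} \mathrm{Tr}\left( U_i \rho U_i^\dagger U_j \rho U_j^\dagger \right).
\end{aligned}$$

Here, we have used the linearity of the trace function, and the fact that $\mathrm{Tr}(\sigma^2) = 1$ for any pure state
density matrix $\sigma$.

Recall that the unitary operators $U_i$ are chosen randomly according to a measure satisfying equation (5).
Taking expectation over the random choice of unitaries, we get

$$\begin{aligned}
\mathbb{E}_{\{U_i\}} \left[ \mathrm{Tr}\, R(\rho)^2 \right] &= \frac{1}{m} + \frac{1}{m^2} \sum_{i \ne j} \mathbb{E}\, \mathrm{Tr}\left( U_i \rho U_i^\dagger U_j \rho U_j^\dagger \right) \\
&= \frac{1}{m} + \frac{1}{m^2} \sum_{i \ne j} \mathrm{Tr}\left[ \left( \mathbb{E}_{U_i} U_i \rho U_i^\dagger \right) \left( \mathbb{E}_{U_j} U_j \rho U_j^\dagger \right) \right] && (8) \\
&= \frac{1}{m} + \frac{m-1}{m}\, \mathrm{Tr}\, \frac{I}{d^2} \\
&\le \frac{1}{m} + \frac{1}{d}. && (9)
\end{aligned}$$

In equation (8), we used the fact that $U_i$ and $U_j$ are chosen independently according to measures $\mu_i, \mu_j$.
Putting equations (6) and (9) together gives us

$$\mathbb{E}\, Y_\rho \le \sqrt{d\, \mathbb{E}\, \|R(\rho)\|_F^2 - 1} \le \sqrt{d/m},$$

the claimed bound on $\mathbb{E}\, Y_\rho$. ■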

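Thus, the random sequence of unitary operators $\{U_i\}$ randomizes any fixed state $\rho$ very well in expectation,
provided $m$ is chosen suitably larger than $d$.

We now note that the function $f_\rho(U_1, U_2, \ldots, U_m)$ defining the random variable $Y_\rho$ has bounded difference.
In other words, if we replace any one of the unitaries $U_i$ by another unitary $\tilde{U}_i$, the function value changes
by a small amount. Denote the randomizing map given by the modified sequence

$$(U_1, U_2, \ldots, U_{i-1}, \tilde{U}_i, U_{i+1}, \ldots, U_m)$$

by $\tilde{R}$. Then, we have

$$\begin{aligned}
\left| f_\rho(U_1, \ldots, \tilde{U}_i, \ldots, U_m) - f_\rho(U_1, \ldots, U_m) \right|
&= \left|\, \left\| \tilde{R}(\rho) - \frac{I}{d} \right\|_{\mathrm{tr}} - \left\| R(\rho) - \frac{I}{d} \right\|_{\mathrm{tr}} \right| \\
&\le \left\| \tilde{R}(\rho) - R(\rho) \right\|_{\mathrm{tr}} \\
&= \frac{1}{m} \left\| \tilde{U}_i \rho \tilde{U}_i^\dagger - U_i \rho U_i^\dagger \right\|_{\mathrm{tr}} && (10) \\
&\le \frac{2}{m}. && \text{By the triangle inequality} \quad (11)
\end{aligned}$$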

The McDiarmid bound from probability theory states that any random variable with such a bounded 
difference property is concentrated around its mean. 

Theorem 3.2 (McDiarmid's Inequality [10]) Let $X_1, X_2, \ldots, X_m$ be $m$ independent random variables,
with $X_k$ taking values in a set $A_k$ for each $k$. Suppose that the measurable function $f : \prod_{i=1}^{m} A_i \to \mathbb{R}$ satisfies

$$|f(x) - f(x')| \le c_k$$

whenever the vectors $x$ and $x'$ differ only in the $k$-th coordinate. Let $Y = f(X_1, X_2, \ldots, X_m)$ be the
corresponding random variable. Then for any $t > 0$,

$$\Pr[Y - \mathbb{E}(Y) \ge t] \le \exp\left( \frac{-2t^2}{\sum_{k=1}^{m} c_k^2} \right).$$

Theorem 3.2 along with equation (11) immediately implies that for any fixed pure state $\rho \in \mathbb{C}^d$

$$\Pr[Y_\rho - \mathbb{E}\, Y_\rho \ge \delta] \le \exp\left( \frac{-\delta^2 m}{2} \right).$$

This implies, using our bound from Proposition 3.1 on the expected value of $Y_\rho$,

$$\Pr\left[ Y_\rho \ge \delta + \sqrt{d/m} \right] \le \exp\left( -\frac{\delta^2 m}{2} \right). \qquad (12)$$



The probability that R(p) deviates from the completely mixed state decays exponentially in its distance, 
and the number of unitary operators m. We would like to extend this property to all pure states. For 
this, it suffices to randomize a suitably large, but finite, set of pure states (a "net") given by the following 
proposition (see, e.g. Ref. [7] for a proof). 



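Proposition 3.3 For every $0 < \eta < 1$, there is a set $\mathcal{M}$ of pure states in $\mathbb{C}^d$ with $|\mathcal{M}| \le (5/\eta)^{2d}$, such
that for every pure state $|\varphi\rangle \in \mathbb{C}^d$, there is a state $|\tilde{\varphi}\rangle \in \mathcal{M}$ with

$$\left\| |\varphi\rangle\langle\varphi| - |\tilde{\varphi}\rangle\langle\tilde{\varphi}| \right\|_{\mathrm{tr}} \le \eta.$$

From Proposition 3.3 we know that every pure state $\rho \in \mathbb{C}^d$ is $\eta$-close in trace norm to a pure state $\tilde{\rho}$
from a finite set $\mathcal{M}$ of size $|\mathcal{M}| \le (5/\eta)^{2d}$. By the triangle inequality, and the unitary equivalence of the
trace norm, it is straightforward to show that $|Y_\rho - Y_{\tilde{\rho}}| \le \eta$. Therefore, if $Y_\rho > \epsilon$, then $Y_{\tilde{\rho}} > \epsilon - \eta$ for
some $\tilde{\rho} \in \mathcal{M}$.

We can now bound the probability that the map $R$ fails to randomize some pure state.

$$\begin{aligned}
\Pr[\exists \rho : Y_\rho > \epsilon]
&\le \Pr[\exists \tilde{\rho} \in \mathcal{M} : Y_{\tilde{\rho}} > \epsilon - \eta] && \text{From the discussion above} \\
&\le |\mathcal{M}| \cdot \Pr[Y_{\tilde{\rho}} > \epsilon - \eta] && \text{By the union bound, for the worst case state } \tilde{\rho} \\
&\le \left( \frac{5}{\eta} \right)^{2d} \exp\left( -\frac{m}{2} \left( \epsilon - \eta - \sqrt{d/m} \right)^2 \right) && \text{By equation (12)} \\
&\le e^{-d/2}
\end{aligned}$$

if $\eta$ is chosen to be at most $\epsilon/3$, and $m$ at least

$$\frac{37d}{\epsilon^2} \ln \frac{15}{\epsilon}.$$

Thus, there is an overwhelming majority of $m = O(\frac{d}{\epsilon^2} \log \frac{1}{\epsilon})$ unitaries such that the corresponding map is
randomizing to within $\epsilon$, with respect to the trace norm. ■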

4 Towards proving optimality



The best known lower bound for an $\epsilon$-randomizing map $R$ with respect to the trace norm, defined by a
distribution over unitary maps on $n$ qubits, is $n + \log(1 - \frac{\epsilon}{2})$. This follows directly from a rank argument:
consider the image of a pure state. It has rank at most $m$, the number of unitary matrices defining $R$.
The distance of any rank $m$ density matrix from the completely mixed state $I/2^n$ is at least $2(1 - m \cdot 2^{-n})$.
Since $R$ is $\epsilon$-randomizing, this distance is at most $\epsilon$, and the bound on the number of bits of key, which
is $\log m$, follows.

The above lower bound does not reflect the amount of key required to achieve better security, as $\epsilon \to 0$.
(At $\epsilon = 0$, the optimal number of key bits is $2n$.) To get stronger bounds, we focus on the simplest and
perhaps most natural maps, those defined by distributions of Pauli operators, as in equation (3).

Recall that the $n$-qubit Pauli operators are in one-to-one correspondence with the set $\{0,1\}^{2n}$, and we
may therefore study distributions on this set instead. We derive conditions on these distributions (stated
in Theorem 1.5) which we believe will help prove the optimality of our constructions. As a corollary, we
prove that any distribution corresponding to an $\epsilon$-randomizing map (with respect to the trace norm) is
necessarily $\epsilon$-biased (cf. Definition 2.1). This implies a new lower bound on the number of bits of key. The
bound makes the strong dependence of key length on the parameter $\epsilon$ explicit, while sacrificing the strong
dependence on message length $n$.

In Theorem 1.5, we stated constraints on distributions over Pauli matrices that are randomizing. We prove
these constraints here by considering the action of randomizing maps on stabilizer states.

Proof: (of Theorem 1.5) Let $|\psi\rangle$ be an $n$-qubit (pure) stabilizer state, stabilized by a group whose $n$
generators are given by the set $T$. We claim that for any Pauli operator $P$, the state $P|\psi\rangle$ is either parallel
to $|\psi\rangle$ or orthogonal to it.

If $P$ commutes with every Pauli operator in $T$, then $P|\psi\rangle$ is also stabilized by $T$: For $g \in T$, we have $gP|\psi\rangle =
Pg|\psi\rangle = P|\psi\rangle$. Since the linear subspace stabilized by $T$ is one-dimensional, $P|\psi\rangle$ belongs to the linear span
of $|\psi\rangle$. If $P$ anticommutes with some $g \in T$, then $\langle\psi|P|\psi\rangle = \langle\psi|Pg|\psi\rangle = -\langle\psi|gP|\psi\rangle = -\langle\psi|P|\psi\rangle = 0$.

It follows that for any two Pauli operators $P, Q$, the states $P|\psi\rangle$ and $Q|\psi\rangle$ are either parallel or orthogonal:
we use the matrix $PQ = P^\dagger Q$ in the above argument. In fact, we can say something stronger. Let $M$
be the $n \times 2n$ matrix representation of the generator set $T$. The states $P|\psi\rangle$ and $Q|\psi\rangle$ are parallel iff
$M \cdot w = M \cdot w'$, where $w$ and $w'$ are the $2n$-bit representations of the Pauli operators $P$ and $Q$, respectively,
and $M \cdot z$ is the vector of symplectic inner products of the rows of $M$ with $z$. This is because

$$M \cdot w = M \cdot w' \quad \text{iff} \quad M \cdot (w + w') = 0,$$

which is equivalent to saying that $PQ$ commutes with the stabilizer.

Let $|\psi_x\rangle$ be a canonical pure state in the linear span of $P|\psi\rangle$, where $P$ is any Pauli matrix such that $M \cdot w =
x$, and $w \in \{0,1\}^{2n}$ represents $P$. Since the $n$ generators in $T$ are independent, the matrix $M$ has rank $n$.
Therefore, the image of set $\{0,1\}^{2n}$ under $M$ is all of $\{0,1\}^n$, the states $|\psi_x\rangle$ are well-defined as $x$ ranges
in $\{0,1\}^n$, and they form an orthonormal basis for $\mathbb{C}^{2^n}$.

Now consider a randomizing map $R_p$ specified by a distribution $p$ over $\{0,1\}^{2n}$, and its action on the
stabilizer state $|\psi\rangle$. We use $\psi, \psi_x$, etc. as shorthand for the density matrices $|\psi\rangle\langle\psi|, |\psi_x\rangle\langle\psi_x|$, etc.

$$\begin{aligned}
R_p(\psi) &= \sum_{(a,b) \in \{0,1\}^{2n}} p(a,b)\, X^a Z^b \psi Z^b X^a \\
&= \sum_{(a,b)} p(a,b)\, \psi_{M \cdot (a,b)}.
\end{aligned}$$

This mixed state is diagonal in the basis $\{|\psi_x\rangle\}$, and therefore its trace distance from the completely mixed
state is

$$\sum_{x \in \{0,1\}^n} \left| \Pr[M \cdot V = x] - \frac{1}{2^n} \right|,$$

where $V$ is the random variable corresponding to the distribution $p$. Since $R_p$ is $\epsilon$-randomizing, the above
expression is bounded by $\epsilon$. This is precisely the $\ell_1$ distance of the random variable $M \cdot V$ from uniform
on $n$-bits. ■

These conditions imposed on distributions over Pauli matrices are similar to conditions such as "almost
$k$-wise independence" (see, e.g., Ref. [H]), but are not equivalent to any of the standard notions of
pseudorandomness. As claimed in Corollary 1.6, it is however a stronger notion than that of having bias at most $\epsilon$.
We finish with a proof of this corollary, which also gives us a stronger lower bound for the key size for
exponentially small $\epsilon$.

Proof: (of Corollary 1.6) Consider any non-zero string $w \in \{0,1\}^{2n}$. Let $w = (u, v)$, where $u, v \in \{0,1\}^n$.
We would like to show that the random bit $\langle w, V\rangle$ has bias at most $\epsilon$, where $V$ is the random variable
corresponding to the distribution $p$.

We first prove this property for $w$ such that for each $i = 1, \ldots, n$, at least one of $u_i, v_i$ is 1. Consider $n$
stabilizer generators, the $i$-th one $g_i$ defined as $g_i = \bigotimes_{j=1}^{n} P_j$, where $P_j = I$ for all $j \neq i$, and $P_i$ is equal to

$$P_i = \begin{cases} Z & \text{if } u_i = 1 \neq v_i, \\ X & \text{if } v_i = 1 \neq u_i, \text{ and} \\ Y & \text{if } u_i = 1 = v_i. \end{cases}$$

These $n$ generators $\{g_i\}$ commute and are independent, and therefore specify a pure stabilizer state. This
state is a tensor product of $n$ single qubit Pauli eigenvectors,

$$|0\rangle, \quad \frac{1}{\sqrt{2}}\left(|0\rangle + |1\rangle\right), \quad \text{or} \quad \frac{1}{\sqrt{2}}\left(|0\rangle + i|1\rangle\right),$$

depending upon whether the $i$-th generator $g_i$ has $Z$, $X$, or $Y$, respectively, in its $i$-th tensor factor.

For $i = 1, \ldots, n$, let $e_i$ be the $n$-bit string which is zero in all positions except the $i$-th. Then the $2n$-bit
string representing the generator $g_i$ is

$$g_i = \left(\langle e_i, v\rangle\, e_i,\ \langle e_i, u\rangle\, e_i\right). \tag{13}$$

Consider the action of the map $R_p$ on this stabilizer state. From Theorem 1.5, we get that the random
variable $M \cdot V$ is $\epsilon$-close to uniform on $n$ bits, where $M$ is the matrix representing the stabilizer $\{g_i\}$. Its
rows are given by the equation (13). Note that $M \cdot V$ is the sequence of $n$ bits $u_i V_i + v_i V_{n+i} \pmod 2$. Any
distribution that is $\epsilon$-close to uniform in $\ell_1$-norm is also $\epsilon$-biased. Therefore, the XOR of the bits in $M \cdot V$
has bias at most $\epsilon$. The XOR is precisely the scalar product $\langle (u,v), V\rangle = \langle w, V\rangle$, so we have proven the
first part of the claim for strings $w$ of the type described above.

For an arbitrary non-zero string $w = (u, v)$, we consider a string $w' = (u', v)$ such that $u'_i = 1$ for all $i$ such
that $u_i = v_i = 0$, and $u'_i = u_i$ for the remaining $i$. From the argument above, we have that $M' \cdot V$ is close
to uniform, where $M'$ is defined by the string $w'$. The scalar product $\langle w, V\rangle$ is the XOR of a subset of the
bits in $M' \cdot V$. Therefore its bias is also at most $\epsilon$.

When $p$ is uniform over a subset $S \subseteq \{0,1\}^{2n}$, we get that the set is $\epsilon$-biased, and the stated lower bound
on its size is given in Ref. [3, equation (3), page 13]. The same lower bound holds for possibly non-uniform
distributions $p$ with support on the subset $S$ [2]. ■

A Proofs of some claims



In this section of the Appendix, we present proofs of some statements made in the article. 

We use the following relation between trace norm and Frobenius norm, which is essentially an application
of the Cauchy-Schwarz inequality.

Proposition A.1 For any rank $d$ matrix $M$, $\| M \|_{\mathrm{tr}} \le \sqrt{d} \cdot \| M \|_F$.

We use this relation in the following form.

Corollary A.2 Let $M \in L(\mathbb{C}^d)$ be a density matrix. Then, its trace distance from the completely mixed
state $I/d$ is bounded as

$$\left\| M - \frac{I}{d} \right\|_{\mathrm{tr}}^2 \le d\, \| M \|_F^2 - 1.$$



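Proof: By the definition of Frobenius norm in terms of the trace inner product,

$$\left\| M - \frac{I}{d} \right\|_F^2 = \operatorname{Tr} M^2 - 2 \operatorname{Tr} \frac{M}{d} + \operatorname{Tr} \frac{I}{d^2} = \| M \|_F^2 - \frac{2}{d} \operatorname{Tr} M + \operatorname{Tr} \frac{I}{d^2} = \| M \|_F^2 - \frac{1}{d}.$$

The corollary now follows from Proposition A.1.

We can now prove Proposition 2.1.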

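Proof: (of Proposition 2.1) First, we express a state $\rho$ in the Pauli basis:

$$\rho = \frac{1}{2^n} \sum_{(u,v) \in \{0,1\}^{2n}} \alpha_{uv}\, X^u Z^v,$$

where $\alpha = (\alpha_{uv}) \in \mathbb{C}^{2^{2n}}$ with $\| \alpha \|^2 \le 2^n$.
Since $X$ and $Z$ anti-commute,

$$R_S(X^u Z^v) = \frac{1}{|S|} \sum_{(a,b) \in S} X^a Z^b \left( X^u Z^v \right) Z^b X^a = \frac{1}{|S|} \sum_{(a,b) \in S} (-1)^{\langle (a,b), (v,u) \rangle}\, X^u Z^v = \delta_{v,u}\, X^u Z^v,$$

where $\langle x, y\rangle$ is the standard scalar product of two strings over GF(2), and $\delta_{v,u} \in \mathbb{R}$ is given by the equation
above. Note that $|\delta_{v,u}| = \mathrm{bias}(S, (v,u))$. Thus, if $S$ is $\delta$-biased, then each non-identity component of any
density matrix will be scaled by a factor of $\delta$: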



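$$R_S(\rho) = \frac{1}{2^n} \sum_{(u,v) \in \{0,1\}^{2n}} \alpha_{uv}\, R_S(X^u Z^v) = \frac{1}{2^n} \sum_{(u,v)} \alpha_{uv}\, \delta_{v,u}\, X^u Z^v,$$

where $|\delta_{v,u}| = \mathrm{bias}(S, (v,u)) \le \delta = \epsilon / 2^{n/2}$, for all $(v,u) \neq 0^{2n}$. The Frobenius norm of the randomized
state is thus concentrated in the first term, the completely mixed state.

$$\| R_S(\rho) \|_F^2 = \frac{1}{2^{2n}} \sum_{(u,v)} |\alpha_{uv}|^2 \cdot |\delta_{v,u}|^2 \cdot \| X^u Z^v \|_F^2 \le \frac{1}{2^{2n}} \left[ 2^n + \sum_{(u,v) \neq 0^{2n}} |\alpha_{uv}|^2 \cdot \delta^2 \cdot 2^n \right] \le \frac{1}{2^n} \left( 1 + \epsilon^2 \right).$$

Here, we used the bound of $2^n$ on $\| \alpha \|^2$.
From Corollary A.2,

$$\left\| R_S(\rho) - \frac{I}{2^n} \right\|_{\mathrm{tr}}^2 \le 2^n\, \| R_S(\rho) \|_F^2 - 1,$$

and Proposition 2.1 now follows. ■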
B A construction of small bias sets



In this section, we present the construction described in Proposition 2.2 of small-bias spaces due to Alon,
Goldreich, Håstad, and Peralta [3, Section 5] (see the remarks at the end of the Section 5 in the reference).
This construction is optimal in the regime of extremely small biases that we are interested in.

Let $r, s$ be positive integers. We would like to identify a set $S \subseteq \{0,1\}^{rs}$ of size $2^{2r}$ and with bias
at most $s 2^{-r}$. We construct $S$ by describing a string $s_{xy}$ for each pair of strings $x, y \in \{0,1\}^r$. We
identify both $x$ and $y$ with elements of the vector space GF($2^r$) over the field GF(2) in the natural way.
Let $\{e_i\}$, $i \in [r] = \{0, 1, \ldots, r-1\}$ be a basis for the vector space GF($2^r$).

We define the string $s_{xy}$ bit-by-bit. For $i \in [r], j \in [s]$, the $(i,j)$-th bit of $s_{xy}$ is given by $\langle e_i x^j, y\rangle$. All
multiplications in the expression $e_i x^j$ are in the field GF($2^r$), and $\langle \cdot, \cdot \rangle$ is the standard scalar product
in GF(2). The string $s_{xy}$ is thus given by the following array of bits:



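$$\begin{array}{cccc}
\langle e_0, y\rangle & \langle e_0 x, y\rangle & \cdots & \langle e_0 x^{s-1}, y\rangle \\
\langle e_1, y\rangle & \langle e_1 x, y\rangle & \cdots & \langle e_1 x^{s-1}, y\rangle \\
\vdots & \vdots & & \vdots \\
\langle e_{r-1}, y\rangle & \langle e_{r-1} x, y\rangle & \cdots & \langle e_{r-1} x^{s-1}, y\rangle
\end{array}$$

Note that computing all the $rs$ bits of $s_{xy}$ takes $O(rs)$ multiplications in GF($2^r$), and a further $O(r^2 s)$ bit
operations to compute scalar products.

It only remains to argue that the set $S = \{s_{xy}\}$ so constructed has bias at most $s 2^{-r}$.

Proposition B.1 The set $S = \{s_{xy}\} \subseteq \{0,1\}^{rs}$ constructed as above has bias at most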

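Proof: Let $u \in \{0,1\}^{rs}$ be any non-zero string. For any string $s_{xy} \in S$, we have

$$\langle u, s_{xy}\rangle = \sum_{i \in [r],\, j \in [s]} u_{ij} \langle e_i x^j, y\rangle = \Big\langle \sum_{i,j} u_{ij}\, e_i x^j,\ y \Big\rangle = \langle p_u(x), y\rangle,$$

where

$$p_u(x) = \sum_{j \in [s]} \Big( \sum_{i \in [r]} u_{ij}\, e_i \Big) x^j$$

is a polynomial in $x$ with coefficients in GF($2^r$) and with degree at most $s - 1$. Since $u$ is non-zero, and $\{e_i\}$
are linearly independent, the polynomial $p_u$ is not identically 0.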

The bias of $S$ with respect to $u$ is then given by

$$\mathrm{bias}(S, u) = \left| 1 - 2\, \mathrm{E}_{xy} \langle u, s_{xy}\rangle \right| = \left| 1 - 2 \Pr_{xy}[\langle u, s_{xy}\rangle = 1] \right| = \left| 1 - 2 \Pr_{xy}[\langle p_u(x), y\rangle = 1] \right|.$$

We may estimate the above probability as

$$\Pr_{xy}[\langle p_u(x), y\rangle = 1] = \Pr_{xy}[\langle p_u(x), y\rangle = 1 \mid p_u(x) \neq 0] \cdot \Pr_x[p_u(x) \neq 0] = \frac{1}{2} \Pr_x[p_u(x) \neq 0],$$

since the scalar product of any non-zero $p_u(x)$ with a uniformly random $y$ has zero bias. Putting these
together, we have

$$\mathrm{bias}(S, u) = 1 - \Pr_x[p_u(x) \neq 0] = \Pr_x[p_u(x) = 0] \le \frac{s - 1}{2^r},$$

since any non-zero polynomial of degree $s - 1$ has at most $s - 1$ roots in any field. ■
This finishes the description of the small bias set in Proposition 2.2.
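The construction of this appendix, carried out for small parameters and checked exhaustively against the root-counting bound from the proof of Proposition B.1. This is an added example, not code from the paper; the function names, the choice of the standard polynomial basis for $\{e_i\}$, and the irreducible polynomial $x^3 + x + 1$ for GF($2^3$) are assumptions made for the illustration.

```python
from fractions import Fraction
from itertools import product

def gf_mul(a, b, r, modulus):
    """Multiply a and b in GF(2^r); modulus is an irreducible polynomial with its x^r bit set."""
    acc = 0
    while b:
        if b & 1:
            acc ^= a
        b >>= 1
        a <<= 1
        if (a >> r) & 1:        # reduce as soon as the degree reaches r
            a ^= modulus
    return acc

def dot(a, b):
    """Standard scalar product over GF(2) of two bit strings held as ints."""
    return bin(a & b).count("1") & 1

def aghp_string(x, y, r, s, modulus):
    """s_xy as a tuple of r*s bits; bit (i, j) is <e_i * x^j, y>."""
    powers, xj = [], 1
    for _ in range(s):           # x^0, x^1, ..., x^(s-1)
        powers.append(xj)
        xj = gf_mul(xj, x, r, modulus)
    # Assumption: e_i is the standard basis element with only bit i set.
    return tuple(dot(gf_mul(1 << i, p, r, modulus), y)
                 for i in range(r) for p in powers)

def small_bias_set(r, s, modulus):
    """All 2^(2r) strings s_xy, kept as a list because distinct (x, y) can collide."""
    return [aghp_string(x, y, r, s, modulus)
            for x in range(1 << r) for y in range(1 << r)]

def max_bias(S):
    """Largest |1 - 2 Pr[<u, s> = 1]| over all non-zero u, by exhaustive search."""
    worst = Fraction(0)
    for u in product((0, 1), repeat=len(S[0])):
        if any(u):
            ones = sum(sum(a & b for a, b in zip(u, w)) & 1 for w in S)
            worst = max(worst, Fraction(abs(len(S) - 2 * ones), len(S)))
    return worst

if __name__ == "__main__":
    r, s, modulus = 3, 3, 0b1011            # GF(8) with x^3 + x + 1
    S = small_bias_set(r, s, modulus)
    print(len(S), max_bias(S), Fraction(s - 1, 1 << r))
```

For $r = s = 3$ the exhaustive maximum meets $(s-1)/2^r$ exactly, because a quadratic with two distinct roots in GF(8) occurs as some $p_u$.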